
Object Storage Service: OSS authorization syntax and elements

Last Updated: Jun 03, 2026

OSS uses JSON-formatted authorization policies for fine-grained access control. This topic is a quick reference for the syntax and elements of these policies.

Authorization syntax

OSS authorization policies use JSON with two core fields: Version and Statement.

Syntax structure

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow|Deny",
            "Action": ["oss:ActionName"],
            "Principal": ["UID|*"],
            "Resource": ["acs:oss:*:*:bucket-name/*"],
            "Condition": {
                "ConditionOperator": {
                    "ConditionKey": ["Value"]
                }
            }
        }
    ]
}

Field descriptions

| Field | Description | Required |
| --- | --- | --- |
| Version | The policy version. Fixed to 1. | Yes |
| Statement | The policy body. Contains one or more allow or deny rules. | Yes |

Statement elements

| Element | Description | Required |
| --- | --- | --- |
| Effect | The policy effect. Valid values: Allow and Deny. | Yes |
| Action | The operation on a resource. Supports the wildcard *. | Yes |
| Principal | The entity the policy affects, such as a user, account, or role. An empty list [ ] is equivalent to ["*"]. Note: RAM policies do not include this field. | Required for bucket policies |
| Resource | The resources the policy affects. Supports the wildcard *. | Yes |
| Condition | The conditions under which the policy takes effect. Multiple conditions use an AND relationship: all conditions must be met. | No |
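
The statement rules above, together with the operator names from the Condition operators table later in this topic, can be checked mechanically before a policy is applied. The following Python linter is an added example, not Alibaba Cloud code: the function names, severity labels and sample policy are constructed for illustration, and treating a bare string as a one-element list is an assumption of the example.

```python
import json

# Operator names from the "Condition operators" table in this topic.
CONDITION_OPERATORS = {
    "StringEquals", "StringNotEquals", "StringEqualsIgnoreCase",
    "StringNotEqualsIgnoreCase", "StringLike", "StringNotLike",
    "NumericEquals", "NumericNotEquals", "NumericLessThan",
    "NumericLessThanEquals", "NumericGreaterThan", "NumericGreaterThanEquals",
    "DateEquals", "DateNotEquals", "DateLessThan", "DateLessThanEquals",
    "DateGreaterThan", "DateGreaterThanEquals",
    "Bool", "IpAddress", "NotIpAddress", "IpAddressIncludeBorder",
}

# Constructed sample bucket policy (bucket name and CIDR block are placeholders).
SAMPLE = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject"], "Principal": [],
     "Resource": ["acs:oss:*:*:example-bucket/*"]},
    {"Effect": "Allow", "Action": ["oss:*"], "Principal": ["*"],
     "Resource": ["acs:oss:*:*:example-bucket/*"],
     "Condition": {"IpAddress": {"acs:SourceIp": ["192.0.2.0/24"]},
                   "Bool": {"acs:SecureTransport": ["true"]}}},
    {"Effect": "Deny", "Action": ["oss:*"], "Principal": ["*"],
     "Resource": ["acs:oss:*:*:example-bucket/*"],
     "Condition": {"Boolean": {"acs:SecureTransport": ["false"]}}}
  ]
}
""")


def as_list(value):
    """Assumption of this example: a bare string means a one-element list."""
    if value is None:
        return None
    return [value] if isinstance(value, str) else list(value)


def is_public(principal):
    """An empty Principal list is equivalent to ["*"]: both mean everyone."""
    return principal is not None and (principal == [] or "*" in principal)


def lint_policy(policy, bucket_policy=True):
    """Return (statement_index, severity, message) tuples; index -1 is the document."""
    findings = []
    if str(policy.get("Version")) != "1":
        findings.append((-1, "ERROR", "Version must be 1"))
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        findings.append((-1, "ERROR", "Statement must be a non-empty list"))
        return findings
    for i, st in enumerate(statements):
        effect = st.get("Effect")
        actions = as_list(st.get("Action"))
        resources = as_list(st.get("Resource"))
        principal = as_list(st.get("Principal"))
        condition = st.get("Condition") or {}
        if effect not in ("Allow", "Deny"):
            findings.append((i, "ERROR", f"Effect must be Allow or Deny, got {effect!r}"))
        if not actions:
            findings.append((i, "ERROR", "Action is required"))
        if not resources:
            findings.append((i, "ERROR", "Resource is required"))
        if bucket_policy and principal is None:
            findings.append((i, "ERROR", "Principal is required in a bucket policy"))
        for op in condition:
            if op not in CONDITION_OPERATORS:
                findings.append((i, "ERROR", f"unknown condition operator {op!r}"))
        # Review-worthy grants: Allow for everyone, unconditioned or on a wildcard action.
        if effect == "Allow" and is_public(principal):
            if not condition:
                findings.append((i, "HIGH", "Allow for everyone with no Condition"))
            if any(a == "*" or a.endswith(":*") for a in actions or []):
                findings.append((i, "HIGH", "Allow for everyone on a wildcard Action"))
    return findings


if __name__ == "__main__":
    for index, severity, message in lint_policy(SAMPLE):
        print(f"statement {index}: {severity}: {message}")
```

Statement 0 of the sample is the case that is easy to miss in review: its Principal is an empty list, which grants to everyone exactly as ["*"] does.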

Action

Actions are categorized into service-level, bucket-level, and object-level operations.

Service level

| API | Action | API description |
| --- | --- | --- |
| ListBuckets (GetService) | oss:ListBuckets | Lists all buckets that the requester owns. |
| ListUserDataRedundancyTransition | oss:ListUserDataRedundancyTransition | Lists all storage redundancy transition tasks for the requester. |
| None | oss:ActivateProduct | Activates OSS and the Content Moderation service. |
| None | oss:CreateOrder | Creates orders for OSS resource plans. |
| PutPublicAccessBlock | oss:PutPublicAccessBlock | Enables Block Public Access for all of OSS. |
| GetPublicAccessBlock | oss:GetPublicAccessBlock | Gets the global Block Public Access configuration. |
| DeletePublicAccessBlock | oss:DeletePublicAccessBlock | Deletes the global Block Public Access configuration. |

Bucket level

| API | Action | API description |
| --- | --- | --- |
| PutBucket | oss:PutBucket | Creates a bucket. |
| GetBucket (ListObjects) | oss:ListObjects | Lists information about all objects in a bucket. |
| GetBucketInfo | oss:GetBucketInfo | Views information about a bucket. |
| GetBucketLocation | oss:GetBucketLocation | Views the location information of a bucket. |
| GetBucketStat | oss:GetBucketStat | Gets the storage capacity and number of files in a bucket. |
| PutBucketVersioning | oss:PutBucketVersioning | Sets the versioning state for a specified bucket. |
| GetBucketVersioning | oss:GetBucketVersioning | Gets the versioning state of a specified bucket. |
| ListObjectVersions (GetBucketVersions) | oss:ListObjectVersions | Lists version information for all objects in a bucket, including delete markers. |
| PutBucketAcl | oss:PutBucketAcl | Sets or modifies the ACL of a bucket. |
| GetBucketAcl | oss:GetBucketAcl | Gets the ACL of a bucket. |
| DeleteBucket | oss:DeleteBucket | Deletes a bucket. |
| InitiateBucketWorm | oss:InitiateBucketWorm | Creates a retention policy. |
| AbortBucketWorm | oss:AbortBucketWorm | Deletes an unlocked retention policy. |
| CompleteBucketWorm | oss:CompleteBucketWorm | Locks a retention policy. |
| ExtendBucketWorm | oss:ExtendBucketWorm | Extends the retention period in days for objects in a bucket that has a locked retention policy. |
| GetBucketWorm | oss:GetBucketWorm | Gets information about a retention policy. |
| PutBucketLogging | oss:PutBucketLogging | Enables log storage for a bucket. |
| | oss:PutObject | When log storage is enabled for a source bucket, this action writes logs to the destination bucket. |
| GetBucketLogging | oss:GetBucketLogging | Views the log storage configuration of a bucket. |
| DeleteBucketLogging | oss:DeleteBucketLogging | Disables log storage for a bucket. |
| PutBucketWebsite | oss:PutBucketWebsite | Configures a bucket for static website hosting and sets its redirection rules (RoutingRule). |
| GetBucketWebsite | oss:GetBucketWebsite | Views the static website hosting status and redirection rules of a bucket. |
| DeleteBucketWebsite | oss:DeleteBucketWebsite | Disables static website hosting for a bucket and clears its redirection rules. |
| PutBucketReferer | oss:PutBucketReferer | Configures hotlink protection for a bucket. |
| GetBucketReferer | oss:GetBucketReferer | Views the hotlink protection (Referer) configuration of a bucket. |
| PutBucketLifecycle | oss:PutBucketLifecycle | Sets a lifecycle rule for a bucket. |
| GetBucketLifecycle | oss:GetBucketLifecycle | Views the lifecycle rule of a bucket. |
| DeleteBucketLifecycle | oss:DeleteBucketLifecycle | Deletes the lifecycle rule of a bucket. |
| PutBucketTransferAcceleration | oss:PutBucketTransferAcceleration | Configures transfer acceleration for a bucket. |
| GetBucketTransferAcceleration | oss:GetBucketTransferAcceleration | Views the transfer acceleration configuration of a bucket. |
| ListMultipartUploads | oss:ListMultipartUploads | Lists all in-progress multipart upload events that have been initiated but not completed or aborted. |
| PutBucketCors | oss:PutBucketCors | Sets the cross-origin resource sharing (CORS) rules for a specified bucket. |
| GetBucketCors | oss:GetBucketCors | Gets the current CORS rules for a specified bucket. |
| DeleteBucketCors | oss:DeleteBucketCors | Disables the CORS feature for a specified bucket and clears all rules. |
| PutBucketPolicy | oss:PutBucketPolicy | Sets the authorization policy for a specified bucket. |
| GetBucketPolicy | oss:GetBucketPolicy | Gets the authorization policy of a specified bucket. |
| DeleteBucketPolicy | oss:DeleteBucketPolicy | Deletes the authorization policy of a specified bucket. |
| PutBucketTags | oss:PutBucketTagging | Adds or modifies the tags of a specified bucket. |
| GetBucketTags | oss:GetBucketTagging | Gets the tags of a bucket. |
| DeleteBucketTags | oss:DeleteBucketTagging | Deletes the tags of a bucket. |
| PutBucketEncryption | oss:PutBucketEncryption | Configures the encryption rules for a bucket. |
| GetBucketEncryption | oss:GetBucketEncryption | Gets the encryption rules of a bucket. |
| DeleteBucketEncryption | oss:DeleteBucketEncryption | Deletes the encryption rules of a bucket. |
| PutBucketRequestPayment | oss:PutBucketRequestPayment | Configures the pay-by-requester mode. |
| GetBucketRequestPayment | oss:GetBucketRequestPayment | Gets the pay-by-requester configuration. |
| PutBucketReplication | oss:PutBucketReplication | Sets the data replication rules for a bucket. |
| | oss:ReplicateGet | Sets cross-account data replication rules for a bucket or specifies a RAM role for replication. |
| PutBucketRTC | oss:PutBucketRTC | Enables or disables replication time control (RTC) for an existing cross-region replication rule. |
| GetBucketReplication | oss:GetBucketReplication | Gets the configured data replication rules for a bucket. |
| DeleteBucketReplication | oss:DeleteBucketReplication | Stops data replication for a bucket and deletes its replication configuration. |
| GetBucketReplicationLocation | oss:GetBucketReplicationLocation | Gets the regions where destination buckets for replication can be located. |
| GetBucketReplicationProgress | oss:GetBucketReplicationProgress | Gets the data replication progress for a bucket. |
| PutBucketInventory | oss:PutBucketInventory | Configures inventory rules for a bucket. |
| GetBucketInventory | oss:GetBucketInventory | Views a specified inventory task in a bucket. |
| ListBucketInventory | oss:GetBucketInventory | Gets all inventory tasks in a bucket in a batch operation. |
| DeleteBucketInventory | oss:DeleteBucketInventory | Deletes a specified inventory task in a bucket. |
| PutBucketAccessMonitor | oss:PutBucketAccessMonitor | Configures the access tracking status for a bucket. |
| GetBucketAccessMonitor | oss:GetBucketAccessMonitor | Gets the access tracking status of a bucket. |
| OpenMetaQuery | oss:OpenMetaQuery | Enables the metadata management feature for a bucket. |
| GetMetaQueryStatus | oss:GetMetaQueryStatus | Gets the metadata index information for a bucket. |
| DoMetaQuery | oss:DoMetaQuery | Queries objects that match specified conditions and lists information sorted by specified fields. |
| CloseMetaQuery | oss:CloseMetaQuery | Disables the metadata management feature for a bucket. |
| InitUserAntiDDosInfo | oss:InitUserAntiDDosInfo | Creates an Anti-DDoS for OSS instance. |
| UpdateUserAntiDDosInfo | oss:UpdateUserAntiDDosInfo | Changes the status of an Anti-DDoS for OSS instance. |
| GetUserAntiDDosInfo | oss:GetUserAntiDDosInfo | Queries for information about Anti-DDoS for OSS instances under a specified account. |
| InitBucketAntiDDosInfo | oss:InitBucketAntiDDosInfo | Initializes protection for a bucket. |
| UpdateBucketAntiDDosInfo | oss:UpdateBucketAntiDDosInfo | Updates the protection status of a bucket. |
| ListBucketAntiDDosInfo | oss:ListBucketAntiDDosInfo | Gets a list of protection information for a bucket. |
| PutBucketResourceGroup | oss:PutBucketResourceGroup | Sets the resource group to which a bucket belongs. |
| GetBucketResourceGroup | oss:GetBucketResourceGroup | Queries the ID of the resource group to which a bucket belongs. |
| CreateCnameToken | oss:CreateCnameToken | Creates a CnameToken required for domain name ownership verification. |
| GetCnameToken | oss:GetCnameToken | Gets a created CnameToken. |
| PutCname | oss:PutCname | Attaches a custom domain name to a bucket. |
| | yundun-cert:DescribeSSLCertificatePrivateKey, yundun-cert:DescribeSSLCertificatePublicKeyDetail, yundun-cert:CreateSSLCertificate | Attaches a certificate when you attach a custom domain name to a bucket. |
| ListCname | oss:ListCname | Gets a list of all custom domain names (Cnames) attached to a bucket. |
| DeleteCname | oss:DeleteCname | Deletes a Cname that is attached to a bucket. |
| PutStyle | oss:PutStyle | Sets an image style. |
| GetStyle | oss:GetStyle | Gets an image style. |
| ListStyle | oss:ListStyle | Lists image styles. |
| DeleteStyle | oss:DeleteStyle | Deletes an image style. |
| PutBucketArchiveDirectRead | oss:PutBucketArchiveDirectRead | Enables or disables real-time access of Archive objects for a bucket. |
| GetBucketArchiveDirectRead | oss:GetBucketArchiveDirectRead | Checks whether real-time access of Archive objects is enabled for a bucket. |
| CreateAccessPoint | oss:CreateAccessPoint | Creates an access point. |
| GetAccessPoint | oss:GetAccessPoint | Gets information about a single access point. |
| DeleteAccessPoint | oss:DeleteAccessPoint | Deletes an access point. |
| ListAccessPoints | oss:ListAccessPoints | Gets information about user-level and bucket-level access points. |
| PutAccessPointPolicy | oss:PutAccessPointPolicy | Configures an access point policy. |
| GetAccessPointPolicy | oss:GetAccessPointPolicy | Gets information about an access point policy. |
| DeleteAccessPointPolicy | oss:DeleteAccessPointPolicy | Deletes an access point policy. |
| PutBucketHttpsConfig | oss:PutBucketHttpsConfig | Enables or disables TLS version settings for a bucket. |
| GetBucketHttpsConfig | oss:GetBucketHttpsConfig | Views the TLS version settings for a bucket. |
| None | oss:ReplicateList | The list permission for replication. Lets OSS list and replicate historical data from the source bucket. |
| CreateAccessPointForObjectProcess | oss:CreateAccessPointForObjectProcess | Creates an object FC access point. |
| GetAccessPointForObjectProcess | oss:GetAccessPointForObjectProcess | Gets basic information about an object FC access point. |
| DeleteAccessPointForObjectProcess | oss:DeleteAccessPointForObjectProcess | Deletes an object FC access point. |
| ListAccessPointsForObjectProcess | oss:ListAccessPointsForObjectProcess | Gets information about user-level object FC access points. |
| PutAccessPointConfigForObjectProcess | oss:PutAccessPointConfigForObjectProcess | Modifies the configuration of an object FC access point. |
| GetAccessPointConfigForObjectProcess | oss:GetAccessPointConfigForObjectProcess | Gets the configuration information of an object FC access point. |
| PutAccessPointPolicyForObjectProcess | oss:PutAccessPointPolicyForObjectProcess | Configures an access policy for an object FC access point. |
| GetAccessPointPolicyForObjectProcess | oss:GetAccessPointPolicyForObjectProcess | Gets the access policy configuration of an object FC access point. |
| DeleteAccessPointPolicyForObjectProcess | oss:DeleteAccessPointPolicyForObjectProcess | Deletes the access policy of an object FC access point. |
| WriteGetObjectResponse | oss:WriteGetObjectResponse | Customizes the returned data and response headers. |
| CreateBucketDataRedundancyTransition | oss:CreateBucketDataRedundancyTransition | Creates a storage redundancy transition task. |
| GetBucketDataRedundancyTransition | oss:GetBucketDataRedundancyTransition | Gets a storage redundancy transition task. |
| DeleteBucketDataRedundancyTransition | oss:DeleteBucketDataRedundancyTransition | Deletes a storage redundancy transition task. |
| ListBucketDataRedundancyTransition | oss:ListBucketDataRedundancyTransition | Lists all storage redundancy transition tasks in a bucket. |
| PutBucketPublicAccessBlock | oss:PutBucketPublicAccessBlock | Enables Block Public Access for a bucket. |
| GetBucketPublicAccessBlock | oss:GetBucketPublicAccessBlock | Gets the Block Public Access configuration of a bucket. |
| DeleteBucketPublicAccessBlock | oss:DeleteBucketPublicAccessBlock | Deletes the Block Public Access configuration of a bucket. |
| PutAccessPointPublicAccessBlock | oss:PutAccessPointPublicAccessBlock | Enables Block Public Access for an access point. |
| GetAccessPointPublicAccessBlock | oss:GetAccessPointPublicAccessBlock | Gets the Block Public Access configuration of an access point. |
| DeleteAccessPointPublicAccessBlock | oss:DeleteAccessPointPublicAccessBlock | Deletes the Block Public Access configuration of an access point. |
| GetBucketPolicyStatus | oss:GetBucketPolicyStatus | Checks whether the current bucket policy allows public access. |
| PutBucketOverwriteConfig | oss:PutBucketOverwriteConfig | Configures the disallow overwrite setting for a bucket. |
| GetBucketOverwriteConfig | oss:GetBucketOverwriteConfig | Gets the disallow overwrite configuration of a bucket. |
| DeleteBucketOverwriteConfig | oss:DeleteBucketOverwriteConfig | Deletes the disallow overwrite configuration of a bucket. |

Object level

| API | Action | API description |
| --- | --- | --- |
| PutObject | oss:PutObject | Uploads an object. |
| | oss:PutObjectTagging | When you upload an object, use x-oss-tagging to specify the object tag. |
| | kms:GenerateDataKey, kms:Decrypt | When you upload an object, specify that the object metadata contains X-Oss-Server-Side-Encryption: KMS. |
| PostObject | oss:PutObject | Uploads an object to a specified bucket using an HTML form. |
| AppendObject | oss:PutObject | Uploads an object by appending data. |
| | oss:PutObjectTagging | When you upload an object by appending data, use x-oss-tagging to specify the object tag. |
| InitiateMultipartUpload | oss:PutObject | Initializes a multipart upload task. |
| | oss:PutObjectTagging | When you initialize a multipart upload task, use x-oss-tagging to specify the object tag. |
| | kms:GenerateDataKey, kms:Decrypt | When you initialize a multipart upload task, specify that the object metadata contains X-Oss-Server-Side-Encryption: KMS. |
| UploadPart | oss:PutObject | Uploads data in parts based on the specified object name and uploadId. |
| CompleteMultipartUpload | oss:PutObject | After all parts are uploaded, completes the multipart upload of the entire object. |
| | oss:PutObjectTagging | After all parts are uploaded, completes the multipart upload of the entire object and specifies its tags. |
| AbortMultipartUpload | oss:AbortMultipartUpload | Cancels a multipart upload event and deletes the corresponding part data. |
| PutSymlink | oss:PutObject | Creates a symbolic link for a target object in OSS. |
| | oss:PutObjectTagging | Creates a symbolic link with a specified object tag for a target object in OSS. |
| GetObject | oss:GetObject | Gets an object. |
| | kms:Decrypt | Downloads an object that is encrypted with a specified KMS key. |
| | oss:GetObjectVersion | Downloads a specified version of an object. |
| HeadObject | oss:GetObject | Gets the metadata of an object. |
| GetObjectMeta | oss:GetObject | Gets the metadata of an object, including its ETag, Size, and LastModified information. |
| SelectObject | oss:GetObject | Executes an SQL statement on a target object and returns the result. |
| GetSymlink | oss:GetObject | Gets the symbolic link of a target object. |
| DeleteObject | oss:DeleteObject | Deletes an object. |
| | oss:DeleteObjectVersion | Deletes a specified version of an object. |
| DeleteMultipleObjects | oss:DeleteObject | Deletes multiple objects from the same bucket. |
| CopyObject | oss:GetObject, oss:PutObject | Copies an object between buckets in the same region. The buckets can be the same or different. |
| | oss:GetObjectVersion | Copies a specified version of an object between buckets in the same region. The buckets can be the same or different. |
| | oss:GetObjectTagging, oss:PutObjectTagging | Copies an object with specified tags between buckets in the same region. The buckets can be the same or different. |
| | kms:GenerateDataKey, kms:Decrypt | When you copy an object, specify that the metadata of the destination object contains X-Oss-Server-Side-Encryption: KMS. |
| | oss:GetObjectVersionTagging | Copies a version of an object with specified tags between buckets in the same region. The buckets can be the same or different. |
| UploadPartCopy | oss:GetObject, oss:PutObject | Copies data from an existing object to upload a part by adding the x-oss-copy-source header to an UploadPart request. |
| | oss:GetObjectVersion | Copies data from a specified version of an existing object to upload a part by adding the x-oss-copy-source header to an UploadPart request. |
| ListParts | oss:ListParts | Lists all successfully uploaded parts that belong to a specified Upload ID. |
| PutObjectACL | oss:PutObjectAcl | Modifies the ACL of an object in a bucket. |
| | oss:PutObjectVersionAcl | Modifies the ACL of a specified version of an object in a bucket. |
| GetObjectACL | oss:GetObjectAcl | Gets the ACL of an object in a bucket. |
| | oss:GetObjectVersionAcl | Gets the ACL of a specified version of an object in a bucket. |
| RestoreObject | oss:RestoreObject | Restores an object of the Archive Storage, Cold Archive, or Deep Cold Archive storage class. |
| | oss:RestoreObjectVersion | Restores a specified version of an object of the Archive Storage, Cold Archive, or Deep Cold Archive storage class. |
| PutObjectTagging | oss:PutObjectTagging | Sets or updates the tagging information of an object. |
| | oss:PutObjectVersionTagging | Sets or updates the tagging information of a specified version of an object. |
| GetObjectTagging | oss:GetObjectTagging | Gets the tagging information of an object. |
| | oss:GetObjectVersionTagging | Gets the tagging information of a specified version of an object. |
| DeleteObjectTagging | oss:DeleteObjectTagging | Deletes the tagging information of a specified object. |
| | oss:DeleteObjectVersionTagging | Deletes the tagging information of a specified version of an object. |
| PutLiveChannel | oss:PutLiveChannel | Before uploading audio and video data over RTMP, call this API to create a LiveChannel. |
| ListLiveChannel | oss:ListLiveChannel | Lists specified LiveChannels. |
| DeleteLiveChannel | oss:DeleteLiveChannel | Deletes a specified LiveChannel. |
| PutLiveChannelStatus | oss:PutLiveChannelStatus | Switches the status between enabled and disabled. |
| GetLiveChannelInfo | oss:GetLiveChannel | Gets the configuration information of a specified LiveChannel. |
| GetLiveChannelStat | oss:GetLiveChannelStat | Gets the stream ingest status of a specified LiveChannel. |
| GetLiveChannelHistory | oss:GetLiveChannelHistory | Gets the stream ingest records of a specified LiveChannel. |
| PostVodPlaylist | oss:PostVodPlaylist | Generates a playlist for video-on-demand for a specified LiveChannel. |
| GetVodPlaylist | oss:GetVodPlaylist | Views the playlist generated from stream ingest for a specified LiveChannel within a specified time period. |
| None | oss:PublishRtmpStream | Pushes audio and video data streams to RTMP. |
| None | oss:ProcessImm | The permission to use IMM for data processing through OSS. |
| PostProcessTask | oss:GetObject | The permission to use IMM for data processing through a POST request. |
| | oss:PutObject | The permission to use IMM for Saveas data processing. |
| ImgSaveAs | oss:PostProcessTask | Saves the processed image to a specified bucket. |
| CreateOfficeConversionTask | imm:CreateOfficeConversionTask | The permission to use IMM for document conversion or snapshots. |
| GenerateWebofficeToken | imm:GenerateWebofficeToken | Obtains a Weboffice token. |
| RefreshWebofficeToken | imm:RefreshWebofficeToken | Refreshes a Weboffice token. |
| None | oss:ReplicateGet | The read permission for replication. Lets OSS read data and metadata from the source and destination buckets, including objects, parts, and multipart uploads. |
| None | oss:ReplicatePut | The write permission for replication. Lets OSS write objects, multipart uploads, parts, and symbolic links, and modify metadata on the destination bucket. |
| None | oss:ReplicateDelete | The delete permission for replication. Lets OSS perform DeleteObject, AbortMultipartUpload, and DeleteMarker operations on the destination bucket. Note: You must grant this action to the RAM role only when you select Sync All for data replication. |

Resource pool QoS

| API | Action | API description |
| --- | --- | --- |
| PutBucketQoSInfo | oss:PutBucketQoSInfo | Sets throttling for a bucket in a resource pool. |
| GetBucketQoSInfo | oss:GetBucketQoSInfo | Gets the throttling configuration for a bucket in a resource pool. |
| DeleteBucketQosInfo | oss:DeleteBucketQoSInfo | Deletes the throttling configuration for a specified bucket in a resource pool. |
| PutBucketRequesterQoSInfo | oss:PutBucketRequesterQoSInfo | Sets bucket-level throttling for a requester. |
| GetBucketRequesterQoSInfo | oss:GetBucketRequesterQoSInfo | Gets the bucket-level throttling configuration for a specified requester. |
| ListBucketRequesterQoSInfos | oss:ListBucketRequesterQoSInfo | Gets the bucket-level throttling configurations for all requesters. |
| DeleteBucketRequesterQoSInfo | oss:DeleteBucketRequesterQoSInfo | Deletes the throttling configuration for a requester of a bucket. |
| ListResourcePools | oss:ListResourcePools | Gets information about all resource pools under the current account. |
| GetResourcePoolInfo | oss:GetResourcePoolInfo | Gets the throttling configuration of a specified resource pool. |
| ListResourcePoolBuckets | oss:ListResourcePoolBuckets | Gets the list of buckets included in a specified resource pool. |
| PutResourcePoolRequesterQoSInfo | oss:PutResourcePoolRequesterQoSInfo | Configures throttling for a requester of a resource pool. |
| GetResourcePoolRequesterQoSInfo | oss:GetResourcePoolRequesterQoSInfo | Gets the throttling configuration for a specified requester in a resource pool. |
| ListResourcePoolRequesterQoSInfos | oss:ListResourcePoolRequesterQoSInfos | Gets the throttling configurations for all requesters in a resource pool. |
| DeleteResourcePoolRequesterQoSInfo | oss:DeleteResourcePoolRequesterQoSInfo | Deletes the throttling configuration for a specified requester in a resource pool. |

Vector bucket

| API | Action | API description |
| --- | --- | --- |
| PutVectorBucket | oss:PutVectorBucket | Creates a vector bucket. |
| GetVectorBucket | oss:GetVectorBucket | Gets the details of a vector bucket. |
| ListVectorBuckets | oss:ListVectorBuckets | Lists all vector buckets that the requester owns. |
| DeleteVectorBucket | oss:DeleteVectorBucket | Deletes a vector bucket. |
| PutBucketLogging | oss:PutBucketLogging | Enables log storage for a vector bucket. |
| | oss:PutObject | When log storage is enabled for a source vector bucket, this action writes logs to the destination bucket. |
| GetBucketLogging | oss:GetBucketLogging | Views the log storage configuration of a vector bucket. |
| DeleteBucketLogging | oss:DeleteBucketLogging | Disables log storage for a vector bucket. |
| PutBucketPolicy | oss:PutBucketPolicy | Sets the authorization policy for a specified vector bucket. |
| GetBucketPolicy | oss:GetBucketPolicy | Gets the authorization policy of a specified vector bucket. |
| DeleteBucketPolicy | oss:DeleteBucketPolicy | Deletes the authorization policy of a specified vector bucket. |
| PutVectorIndex | oss:PutVectorIndex | Creates a vector index. |
| GetVectorIndex | oss:GetVectorIndex | Gets the details of a vector index. |
| ListVectorIndexes | oss:ListVectorIndexes | Lists all vector indexes in a vector bucket. |
| DeleteVectorIndex | oss:DeleteVectorIndex | Deletes a vector index. |
| PutVectors | oss:PutVectors | Writes vector data. |
| GetVectors | oss:GetVectors | Gets specified vector data. |
| ListVectors | oss:ListVectors | Lists all vector data in a vector index. |
| QueryVectors | oss:QueryVectors | Performs a vector similarity search. |
| DeleteVectors | oss:DeleteVectors | Deletes specified vector data from a vector index. |

Resource

The Resource element specifies one or more resources. Use the asterisk (*) as a wildcard. A single bucket policy can include multiple resources.

Bucket

| Category | Format | Example |
| --- | --- | --- |
| Bucket level | acs:oss:{region}:{bucket_owner_id}:{bucket_name} | acs:oss:*:*:example-bucket |
| Object level | acs:oss:{region}:{bucket_owner_id}:{bucket_name}/{object_name} | acs:oss:*:*:example-bucket/abc.txt |
| Resource pool level | acs:oss:{region}:{account_id}:resourcepool/{resource_pool_name} | acs:oss:*:*:resourcepool/resource-pool-for-ai |

Vector bucket

| Resource level | Format | Example |
| --- | --- | --- |
| All vector resources | acs:ossvector:*:*:* | acs:ossvector:*:*:* |
| Vector bucket | acs:ossvector:{region}:{account_id}:{bucket_name} | acs:ossvector:*:*:my-vector-bucket |
| Vector index | acs:ossvector:{region}:{account_id}:{bucket_name}/{index_name} | acs:ossvector:*:*:my-vector-bucket/myindex |
| Vector data | acs:ossvector:{region}:{account_id}:{bucket_name}/{index_name}/* | acs:ossvector:*:*:my-vector-bucket/myindex/* |

Note: The region field currently supports only the wildcard asterisk (*).

Condition

The Condition element specifies when a policy takes effect. It consists of a condition operator, a condition key, and a condition value.

Condition operators

| Condition operator type | Supported types |
| --- | --- |
| String | StringEquals, StringNotEquals, StringEqualsIgnoreCase, StringNotEqualsIgnoreCase, StringLike, StringNotLike |
| Number | NumericEquals, NumericNotEquals, NumericLessThan, NumericLessThanEquals, NumericGreaterThan, NumericGreaterThanEquals |
| Date and time | DateEquals, DateNotEquals, DateLessThan, DateLessThanEquals, DateGreaterThan, DateGreaterThanEquals |
| Boolean | Bool |
| IP address | IpAddress, NotIpAddress, IpAddressIncludeBorder |

Condition keys

| Condition key | Description |
| --- | --- |
| acs:SourceIp | Specifies a standard IP CIDR block. Supports the wildcard asterisk (*). |
| acs:SourceVpc | Specifies the VPC. The value can be a specific VPC ID or vpc-*. Note: When using acs:SourceVpc to restrict access by source VPC, ensure that the VPC region matches a region where OSS supports gateway endpoints. Otherwise, authentication requests cannot be associated with the correct VPC, and the requests fail. See "Regions where OSS supports gateway endpoints". |
| acs:UserAgent | Specifies the HTTP User-Agent header. Type: string. |
| acs:CurrentTime | The time when the request reaches the OSS server. Format: ISO 8601. |
| acs:SecureTransport | The protocol type of the request. Valid values: true (only HTTPS requests are allowed), false (only HTTP requests are allowed). If acs:SecureTransport is not set, both HTTP and HTTPS are allowed. |
| oss:x-oss-acl | Restricts the bucket ACL type. Valid values: private (private), public-read (public read), public-read-write (public read-write). See "Bucket ACL". |
| oss:x-oss-object-acl | Restricts the object ACL type. Valid values: private (private), public-read (public read), public-read-write (public read-write), default (inherits the bucket ACL). See "Object ACL". |
| oss:Prefix | Lists objects with a specified prefix in a ListObjects request. |
| oss:Delimiter | Groups object names in a ListObjects request. |
| acs:AccessId | The AccessId included in the request. |
| oss:BucketTag | A bucket tag. A single BucketTag can be used as a Condition. When you set multiple BucketTags, you must add the oss:BucketTag/ prefix to each BucketTag to form multiple Conditions. |
| acs:MFAPresent | Specifies whether multi-factor authentication (MFA) is enabled. Values: true (MFA is enabled), false (MFA is not enabled). |
| oss:ExistingObjectTag | The requested object is already tagged. A single ObjectTag can be used as a condition. When you use multiple ObjectTags, you must add oss:ExistingObjectTag/ before each ObjectTag. This applies mainly to APIs for reading files, such as GetObject and HeadObject, and ObjectTagging APIs, such as PutObjectTagging and GetObjectTagging. |
| oss:RequestObjectTag | The object tags included in the request. A single object tag can be used as a condition. When multiple object tags are specified, you must add oss:RequestObjectTag/ before each object tag. This mainly applies to API operations for writing files, such as PutObject and PostObject, and ObjectTagging API operations, such as PutObjectTagging and GetObjectTagging. |
